[ https://issues.apache.org/jira/browse/SHIRO-801?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=17236254#comment-17236254 ]

Brian Demers edited comment on SHIRO-801 at 11/20/20, 3:55 PM:
---------------------------------------------------------------

There are a few Unicode-based attacks, 
[https://owasp.org/www-community/attacks/Unicode_Encoding]

That doesn't mean that your application is susceptible to them (but that is 
specific to your application). To revert to the previous behavior, you can set

{{invalidRequest.blockNonAscii = false}}

See: [https://shiro.apache.org/web.html#global-filters]

 


was (Author: bdemers):
There are a few Unicode-based attacks, 
[https://owasp.org/www-community/attacks/Unicode_Encoding]

That doesn't mean that your application is susceptible to them. To revert to the 
previous behavior, you can set

{{invalidRequest.blockNonAscii = false}}

See: https://shiro.apache.org/web.html#global-filters

> Shiro blocks requests with non-ASCII characters in the URL path
> ---------------------------------------------------------------
>
>                 Key: SHIRO-801
>                 URL: https://issues.apache.org/jira/browse/SHIRO-801
>             Project: Shiro
>          Issue Type: Bug
>    Affects Versions: 1.7.0
>            Reporter: Tuure Laurinolli
>            Priority: Major
>
> When trying to upgrade to Shiro 1.7.0 we noticed that some of our tests 
> started failing. The tests validate that Scandinavian characters (äöå) can be 
> used in object ids in our system.
> It appears that SHIRO-794 changed URL validation so that Scandinavian 
> characters are no longer allowed in the decoded path component of the URL. 
> The relevant code change is 
> [https://github.com/apache/shiro/commit/a28300448ae6c4bb78a8ba626b0cacb00f82d5f8#diff-bd4bf9dfa4cc7521c708850ac5d397fee22b021ea09a3a91f7ce1587abc287d7].
> Is there some reason to not allow non-ASCII characters in the URL path?



--
This message was sent by Atlassian Jira
(v8.3.4#803005)
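
A simplified model of the behaviour discussed in this thread, as an added example that is not Shiro's code and not part of the original messages: the path is percent-decoded and then rejected if any character is above U+007F, with a `block_non_ascii` switch standing in for `invalidRequest.blockNonAscii`. The function names and sample paths are constructed for illustration, and UTF-8 percent-decoding is an assumption.

```python
from urllib.parse import unquote


def first_non_ascii(decoded_path):
    """Return (index, char) of the first character above U+007F, or None."""
    for i, ch in enumerate(decoded_path):
        if ord(ch) > 0x7F:
            return i, ch
    return None


def filter_decision(raw_path, block_non_ascii=True):
    """Model the check: decode the path once, then look for non-ASCII.

    Returns (decision, decoded_path, first_offender). The check runs on the
    DECODED path, so a request line that is pure ASCII on the wire
    (%C3%A4...) is still rejected once it decodes to a non-ASCII character.
    """
    decoded = unquote(raw_path)  # assumption: UTF-8 percent-decoding
    hit = first_non_ascii(decoded)
    if block_non_ascii and hit is not None:
        return "reject", decoded, hit
    return "allow", decoded, hit


# Constructed sample paths, modelled on the object ids in the report.
SAMPLES = [
    "/objects/abc-123",              # plain ASCII id
    "/objects/%C3%A4%C3%B6%C3%A5",   # percent-encoded UTF-8 for the id "äöå"
    "/objects/\u00e4\u00f6\u00e5",   # same id sent unencoded
]

if __name__ == "__main__":
    for block in (True, False):
        print(f"block_non_ascii = {block}")
        for path in SAMPLES:
            decision, decoded, hit = filter_decision(path, block)
            print(f"  {decision:6}  {path!r} -> {decoded!r}  offender={hit}")
```

With the switch off, the handler behind the filter receives the decoded non-ASCII id and has to apply whatever validation the application itself needs.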
